Bug 660612 - Utf8ToOneUcs4Char passes invalid UTF-8 octets '%ED%A0%80', so decodeURIComponent('%ED%A0%80') doesn't throw. r=jwalden
authorMasahiro Yamada <masa141421356@gmail.com>
Tue, 05 Jul 2011 09:38:35 -0700
changeset 73050 0d5626387b8a773562961546b801f1511cdf9984
parent 73049 94bf463e00408dc4d875592387a420ac56189d0b
child 73051 91aad2148739c317fb3aa42dbe036ba82f271a31
push idunknown
push userunknown
push dateunknown
reviewersjwalden
bugs660612
milestone8.0a1
Bug 660612 - Utf8ToOneUcs4Char passes invalid UTF-8 octets '%ED%A0%80', so decodeURIComponent('%ED%A0%80') doesn't throw. r=jwalden
js/src/jsstr.cpp
js/src/tests/ecma_5/Global/bug660612.js
js/src/tests/ecma_5/Global/jstests.list
--- a/js/src/jsstr.cpp
+++ b/js/src/jsstr.cpp
@@ -136,17 +136,17 @@ static JSBool
 str_decodeURI_Component(JSContext *cx, uintN argc, Value *vp);
 
 static JSBool
 str_encodeURI(JSContext *cx, uintN argc, Value *vp);
 
 static JSBool
 str_encodeURI_Component(JSContext *cx, uintN argc, Value *vp);
 
-static const uint32 OVERLONG_UTF8 = UINT32_MAX;
+static const uint32 INVALID_UTF8 = UINT32_MAX;
 
 static uint32
 Utf8ToOneUcs4Char(const uint8 *utf8Buffer, int utf8Length);
 
 /*
  * Global string methods
  */
 
@@ -5638,18 +5638,18 @@ Utf8ToOneUcs4Char(const uint8 *utf8Buffe
         JS_ASSERT((*utf8Buffer & (0x100 - (1 << (7-utf8Length)))) ==
                   (0x100 - (1 << (8-utf8Length))));
         ucs4Char = *utf8Buffer++ & ((1<<(7-utf8Length))-1);
         minucs4Char = minucs4Table[utf8Length-2];
         while (--utf8Length) {
             JS_ASSERT((*utf8Buffer & 0xC0) == 0x80);
             ucs4Char = ucs4Char<<6 | (*utf8Buffer++ & 0x3F);
         }
-        if (JS_UNLIKELY(ucs4Char < minucs4Char)) {
-            ucs4Char = OVERLONG_UTF8;
+        if (JS_UNLIKELY(ucs4Char < minucs4Char || (ucs4Char >= 0xD800 && ucs4Char <= 0xDFFF))) {
+            ucs4Char = INVALID_UTF8;
         } else if (ucs4Char == 0xFFFE || ucs4Char == 0xFFFF) {
             ucs4Char = 0xFFFD;
         }
     }
     return ucs4Char;
 }
 
 namespace js {
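Review bot: The widened condition `if (JS_UNLIKELY(ucs4Char < minucs4Char || (ucs4Char >= 0xD800 && ucs4Char <= 0xDFFF)))` now rejects surrogates but still passes values above 0x10FFFF, which this decoder can assemble from longer sequences given that minucs4Table is indexed by utf8Length-2; Utf8ToOneUcs4Char's header and the maximum accepted utf8Length are outside the hunk, so whether the caller bounds the result I cannot see from here. Unless the caller already does, `|| ucs4Char > 0x10FFFF` belongs in the same check so that such octets also map to INVALID_UTF8 and decodeURIComponent throws for them too. The bare hex range would read better with a one-line comment above the check, e.g. `/* UTF-16 surrogate code points are not valid UTF-8 scalar values */`. Note also that the continuation-byte check a few lines up is still a JS_ASSERT, so in non-debug builds this function continues to rely on its caller having validated the 10xxxxxx bytes.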
new file mode 100644
--- /dev/null
+++ b/js/src/tests/ecma_5/Global/bug660612.js
@@ -0,0 +1,7 @@
+try {
+    decodeURIComponent('%ED%A0%80');
+    assertEq(true, false, "expected an URIError");
+} catch (e) {
+  assertEq(e instanceof URIError, true);
+  reportCompare(true,true);
+}
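Review bot: The new test mixes indentation — the try body is indented four spaces while the catch body uses two — which will stand out against the neighbouring files in this directory; use one width throughout. The failure message `"expected an URIError"` reads better as `"expected a URIError"`. Since the fix rejects the whole surrogate range, a constructed second case at the other end of it, `decodeURIComponent('%ED%BF%BF')` wrapped in the same try/catch, would pin both boundaries rather than only U+D800.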
--- a/js/src/tests/ecma_5/Global/jstests.list
+++ b/js/src/tests/ecma_5/Global/jstests.list
@@ -4,8 +4,9 @@ script parseInt-01.js
 script parseFloat-01.js
 script eval-01.js
 script eval-02.js
 script eval-inside-with-is-direct.js
 script parenthesized-eval-is-direct.js
 script eval-native-callback-is-indirect.js
 script direct-eval-but-not.js
 script eval-in-strict-eval-in-normal-function.js
+script bug660612.js